2

I am using PHPStorm and having some interesting errors/warnings showing up. Not sure if I skipped configuring something. Here is a query for example,

```php
$query  = "INSERT INTO tblperson (";
$query .= "  personName, personLname, personNumber, personPhone, personAttr";
$query .= ") VALUES (";
$query .= "  '{$personName}', '{$personLname}', {$personNumber}, {$personPhone}, '{$personAttr}'";
$query .= ")";
```

And I get this warning: " expected, unexpected end of file" on first line of the code. Is there anything I am missing on this insert statement that PHPStorm warns me on?

When I run the code I can insert a record without any problems but still wonder maybe there might be an improvement that I am missing.

LazyOne
cevizmx
  • You already resolved this issue, but I will still comment on this a bit. *"Is there anything I am missing on this insert statement that PHPStorm warns me on?"* YES -- `INSERT INTO tblperson (` is invalid (incomplete, to be precise) SQL statement from any **real** SQL dialect (MySQL in your case). The `` dialect is "fake" dialect used for basic syntax highlighting only when no actual SQL inspections will be run against your code (which is what you should use for such code). – LazyOne Dec 22 '13 at 14:57
  • My suggestion here, is to alter your code (if it's yours, and you can actually do it) to get rid of such rather *unsafe* code and **use prepared statements / placeholders instead** as your current code is prone to SQL Injections (**proper** cleanup of input text/variables when using such SQL command building is quite difficult). – LazyOne Dec 22 '13 at 14:59
  • @LazyOne thank you for great answer! I am using real_escape_string for those values. Do you still suggest using prepared statement? Cause I will follow your lead here:) Which will take some time to implement ^^ – cevizmx Dec 23 '13 at 15:42
  • **Definitely YES**. Few examples: 1) http://stackoverflow.com/q/60174/783119 2) http://stackoverflow.com/q/3101307/783119 3) http://stackoverflow.com/q/3358950/783119 4) http://stackoverflow.com/q/732561/783119 5) http://stackoverflow.com/q/11454804/783119 and similar (just search for "real escape string vs prepared statements"). It all depends how well you can filter/escape your input. Overall prepared statements are safer. – LazyOne Dec 23 '13 at 15:58

2 Answers

2

After adding the question, I continued searching and hit a similar problem on Stackoverflow which was suggesting SQL Dialects. PHPStorm has a setting under Preferences, I have changed it from MySQL to <SQL Keywords> and now it does not warn me on this error anymore. Just make sure you have selected the project and change the dialect so that all files beneath will inherit the same dialects.

Edit: As stated in the comments, I changed to using PDO. The solution above was just avoiding the issue.

cevizmx
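
The prepared-statement rewrite recommended in the comments and adopted in the edit above, shown for the question's `INSERT` as an added example that is not code from the thread. It also covers the two numeric columns, which the concatenated query left unquoted and which string escaping therefore does not protect. Assumptions: an in-memory SQLite database stands in for MySQL, the column types are guessed, and `insertPerson` is a hypothetical helper name.

```php
<?php
// Added example, not code from the thread. Assumption: in-memory SQLite stands
// in for MySQL so this runs offline; column types are assumed. For MySQL use a
// 'mysql:host=...;dbname=...;charset=utf8mb4' DSN and pass
// [PDO::ATTR_EMULATE_PREPARES => false] so the server binds the parameters.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tblperson (personName TEXT, personLname TEXT,
    personNumber INTEGER, personPhone INTEGER, personAttr TEXT)');

// insertPerson() is a hypothetical helper introduced for this example.
function insertPerson(PDO $pdo, array $person): void
{
    // The SQL text is one fixed string; values are sent separately from it.
    $stmt = $pdo->prepare(
        'INSERT INTO tblperson
            (personName, personLname, personNumber, personPhone, personAttr)
         VALUES
            (:personName, :personLname, :personNumber, :personPhone, :personAttr)'
    );
    // The two numeric columns were unquoted in the concatenated query, a
    // context where string escaping gives no protection: validate, bind as int.
    foreach (['personNumber', 'personPhone'] as $field) {
        $value = filter_var($person[$field], FILTER_VALIDATE_INT);
        if ($value === false) {
            throw new InvalidArgumentException("$field must be an integer");
        }
        $stmt->bindValue(":$field", $value, PDO::PARAM_INT);
    }
    foreach (['personName', 'personLname', 'personAttr'] as $field) {
        $stmt->bindValue(":$field", (string) $person[$field], PDO::PARAM_STR);
    }
    $stmt->execute();
}

// Constructed sample input: quotes in the text fields are stored as data.
$ok = ['personName' => "Conan", 'personLname' => "O'Brien",
       'personNumber' => '1001', 'personPhone' => '5550100',
       'personAttr' => 'note with "quotes"; and -- dashes'];
insertPerson($pdo, $ok);

// Constructed sample input: no quote characters, so escaping leaves it as is.
try {
    insertPerson($pdo, ['personNumber' => '42 OR 1=1'] + $ok);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
print_r($pdo->query('SELECT * FROM tblperson')->fetchAll(PDO::FETCH_ASSOC));
```

Because the statement is a single complete string, PhpStorm's SQL inspection can also parse it without the "unexpected end of file" warning.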
0

Adding this here because the other answer only disables the inspection everywhere and not just for a particular statement.

This issue occurs because the editor loses context when the SQL statement is split over multiple strings.

There is no proper way to actually ignore this error for just a single statement in the editor.

This issue can be reproduced by having your SQL inspections turned on and having a dialect set for the file project.

One potential workaround is to have the beginning of your statement split.

For example, change the below statement from

```php
$start = "INSERT IGNORE INTO table1(";
$mid = ") VALUES (";
$end = ")";
```

to

```php
$start = "INSERT " . "IGNORE INTO table1(";
$mid = ") VALUES (";
$end = ")";
```

This'll trick PhpStorm into thinking that your statement is just another string instead of treating it as SQL and performing an inspection on it.

I realise there may be other ways to write statements; however this answer allows for the style of statement in the original question while solving the problem of PhpStorm flagging an error for the particular statement.

Kit